
Security concerns with member.php ?


  • Security concerns with member.php ?

    Hi,

    I just discovered that people access my member.php page with some strange URLs.

    Apache extract: "tsa9.elaninet.com forum.seigneurs.org - [10/Mar/2009:00:09:35 +0100] "GET /member.php?u=193%3C/td%3E%0A%09%09%09%09%3Ctd%20width=17%20background=http://www.jeilnojo.or.kr/images/re_06.gif%3E%3C/td%3E%0A%09%09%09%3C/tr%3E%0A%09%09%09%3Ctr%3E%0A%09%09%09%09%3Ctd%20colspan=3%20height=15%3E%3Cimg%20src=http://www.jeilnojo.or.kr/images/re_07.gif%3E%3C/td%3E%0A%09%09%09%3C/tr%3E%0A%09%09%09%3Ctr%3E%0A%09%09%09%09%3Ctd%20colspan=3%20height=20%3E%3C/td%3E%0A%09%09%09%3C/tr%3E%0A%09%09%09%0A%09%09%09%3Ctr%3E%0A%09%09%09%09%3Ctd%20height=5%20colspan=3%3E%3Cimg% 20src=http://www.jeilnojo.or.kr/images/re_01.gif%3E%3C/td%3E%0A%09%09%09%3C/tr%3E%0A%09%09%09%3Ctr%3E%0A%09%09%09%09%3Ctd%20width=11%20height=18%20background=http://www.jeilnojo.or.kr/images/re_02.gif%3E%A0%3C/td%3E%0A%09%09%09%09%3Ctd%20width=502%20bgcolor= HTTP/1.1" 200 29776 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1"

    And it seems they use this page for sending spam around the world.

    I have the latest version, 3.8.1.

  • #2
    It looks like they are customizing their profile and the system is submitting that to the server.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    I am not currently available for vB Messenger Chats.



    • #3
      Originally posted by Wayne Luke
      It looks like they are customizing their profile and the system is submitting that to the server.
      My hosting company told me that member.php is used to send spam mail. They did a chmod 000 on my member.php file for "security concerns".

      I will try to see if I can find more.
      Last edited by Rohel; Wed 11th Mar '09, 7:53am.



      • #4
        You should ask them for the proof of that. If they can't provide it then you need to find a new hosting company.


        • #5
          I asked for proof of the hack and they sent me this:

          "g051211.dynamic.ppp.asahi-net.or.jp forum.seigneurs.org - [08/Mar/2009:15:32:26 +0100] "GET /member.php?u=19375 HTTP/1.1" 200 10444 "http://www.zin.net/cgi-local/search/search.cgi?category=Davao" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
          g051211.dynamic.ppp.asahi-net.or.jp forum.seigneurs.org - [08/Mar/2009:15:32:28 +0100] "GET /clientscript/vbulletin_important.css?v=381 HTTP/1.1" 200 1674 "http://forum.seigneurs.org/member.php?u=19375" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
          g051211.dynamic.ppp.asahi-net.or.jp forum.seigneurs.org - [08/Mar/2009:15:32:28 +0100] "GET /clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=381 HTTP/1.1" 200 31637 "http://forum.seigneurs.org/member.php?u=19375" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
          g051211.dynamic.ppp.asahi-net.or.jp forum.seigneurs.org - [08/Mar/2009:15:32:29 +0100] "GET /clientscript/yui/connection/connection-min.js?v=381 HTTP/1.1" 200 11602 "http://forum.seigneurs.org/member.php?u=19375" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322)""

          I don't understand what it means.



          • #6
            Any idea? Does that mean there's a security concern with vBulletin?



            • #7
              I don't see how that is any evidence of hacking. Also search.cgi is not a vB file.
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
              Change CKEditor Colors to Match Style (for 4.1.4 and above)

              Steve Machol Photography


              Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


              • #8
                When you look at those, the first URL is the URL being requested from the server. The second URL is the referrer or the page that sent the request.

                So someone clicked on a link to load a user page on your site from a search engine. That page then loaded three JavaScript files so that it could function properly, files that are included with vBulletin when you downloaded it.

                There are no signs of hacking, which would be indicated by an SQL query in the request, HTML code to force a redirect, or something malicious. If this is all the evidence your hosting company has, then you need to find a new hosting company. Hopefully one with a very basic understanding of how the internet works and how to read web logs.
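                The way of reading these lines described in #8 (request target first, referrer second) can be turned into a small triage script. The following is an added example of mine, not code from this thread or from vBulletin: it parses lines in the vhost-prefixed combined format quoted above (constructed sample lines with placeholder hostnames) and flags a request whose decoded query string carries HTML markup or an external URL, the pattern in the first post's extract, while a plain profile view and the stylesheet it pulls in afterwards stay unflagged.

```python
import re
from urllib.parse import unquote, urlsplit
# Vhost-prefixed combined format: client vhost user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A decoded query string has no business containing markup such as </td> or <img ...>
HTML_TAG = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')

def parse_line(line):
    """Split one log line into fields; the request target is URL-decoded so %3C...%3E shows up as tags."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec['request'].split(' ')          # "GET /path?query HTTP/1.1"
    target = urlsplit(parts[1]) if len(parts) > 1 else urlsplit('')
    rec['path'] = target.path
    rec['query'] = unquote(target.query)
    return rec

def suspicious_reasons(rec):
    """Why a request looks like abuse of the page rather than a normal view (empty list = looks normal)."""
    reasons = []
    if HTML_TAG.search(rec['query']):
        reasons.append('html-in-query')
    if re.search(r'https?://', rec['query']):
        reasons.append('external-url-in-query')
    return reasons

# Constructed sample lines in the thread's format (placeholder hostnames, not real traffic).
SAMPLE_LOG = [
    # a profile view arriving from a search page, then the CSS it pulls in (referer = the profile page)
    'g0.example.net forum.example.org - [08/Mar/2009:15:32:26 +0100] '
    '"GET /member.php?u=19375 HTTP/1.1" 200 10444 "http://search.example.com/search.cgi?q=x" "Mozilla/4.0"',
    'g0.example.net forum.example.org - [08/Mar/2009:15:32:28 +0100] '
    '"GET /clientscript/vbulletin_important.css?v=381 HTTP/1.1" 200 1674 '
    '"http://forum.example.org/member.php?u=19375" "Mozilla/4.0"',
    # the pattern from the first post: encoded table/img markup pointing at an outside host in the query
    'tsa9.example.net forum.example.org - [10/Mar/2009:00:09:35 +0100] '
    '"GET /member.php?u=193%3C/td%3E%0A%3Ctd%20background=http://remote.example/re_06.gif%3E HTTP/1.1" '
    '200 29776 "-" "Mozilla/4.0"',
]

def triage(lines):
    """Map each parsable line to (path, referer, reasons)."""
    recs = (parse_line(l) for l in lines)
    return [(r['path'], r['referer'], suspicious_reasons(r)) for r in recs if r]
```

                Run over the host's four quoted lines, every row comes back with an empty reason list, which is the point #7 and #8 make; only a line like the first post's extract is flagged.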